KR102006220B1 - Apparatus and method for reconfiguring signiture - Google Patents

Abstract

The present invention relates to an apparatus and method for reconstructing a signature used in a signature-based abnormal traffic detection technique. To this end, according to the present invention, the method for reconstructing a signature comprises the steps of: selecting one signature from a signature list stored in a database, and dividing the selected signature into a plurality of signature fragments; inspecting the plurality of signature fragments for a plurality of load elements to calculate a first influence degree for each of the plurality of load elements; calculating a second influence degree for each of the plurality of load elements by applying weights for the plurality of load elements to the first influence degree, respectively; summing second influence degrees corresponding to each signature fragment from the calculated second influence degrees to calculate a final load impact for each signature fragment; and rearranging the order of the plurality of signature fragments according to a magnitude of the calculated final load impact.

Description

Signature reconstruction apparatus and method {APPARATUS AND METHOD FOR RECONFIGURING SIGNITURE}

The present invention relates to an apparatus and method for reconstructing a signature used in a signature-based abnormal traffic detection technique, and more particularly to a signature reconstruction apparatus capable of optimizing each signature by rearranging a sequence of a plurality of signature fragments that make up a signature. And to a method.

Internet service provider (ISP) companies are increasing due to the proliferation of computers and the Internet. ISP refers to a company that provides Internet access services and web sites to individuals and companies. ISP companies provide a wide range of information and communication networks. However, as the number of ISP companies increases, the side effects are increasing rapidly. In particular, worms, viruses, backdoors and ransomware that generate abnormal traffic through peer-to-peer (P2P) application services and e-mail are widely distributed on the Internet, and their attack techniques are also advanced and diversified. The trend is going. Since these attack techniques threaten the safety and reliability of the information communication network, there is a need for a method for detecting and responding to the occurrence of an attack in advance.

Among the techniques for detecting abnormal signs of information and communication network, there is a signature-based abnormal traffic detection technique. The signature indicates the characteristics of the traffic, and means a bit pattern found only in the corresponding application protocol among messages transmitted and received on the network to perform a specific application protocol. Signatures can usually be stored in memory in the form of regular expressions.

Regular expressions are a formal language used to represent a set of strings with specific rules, and are used primarily for text pattern matching in most applications, including various search engines and text editors. However, if the regular expression is formed in a highly flexible form (for example, if the regular expression is represented by a data type representing an unspecified expression or length or a short length), the pattern of texts to be matched may be excessively large and the calculation amount may increase. have. In addition, when the matching range is ambiguous, when the data structure is expressed, regression of the search structure may occur frequently. As such, the load cost is high for the case where many repetitive calculations occur due to the occurrence of frequent sessions.

Meanwhile, the abnormal traffic detection technique using the signature is performed by detecting a packet including a signature among the packets transmitted to the server, and determining whether the detected packet is an abnormal packet. However, when detecting abnormal traffic using a signature with a high load cost, the system load of the security system is increased because a signature having a large load cost should be checked for every packet transmitted. This problem can cause serious problems when large attacks such as Distributed Denial of Service Attack (DDoS) occur. Therefore, in view of the load cost, a new method for reconfiguring signatures used for detection of abnormal traffic is required.

Korean Registered Patent No.1633649

The present invention is applied to network equipment that detects abnormal traffic on the basis of signature, and calculates the influence of each element that affects search time in the process of converting multiple signatures into searchable data structures, and based on the optimization process It is an object of the present invention to provide a signature reconstruction apparatus and method capable of rearranging the order of the signature fragments constituting the signature.

The signature reconstruction method for signature-based abnormal traffic detection of the present invention for solving the above problems comprises the steps of selecting one signature from a signature list stored in a database, and dividing the selected signature into a plurality of signature fragments; Inspecting the plurality of signature fragments for a plurality of load elements to produce a first degree of influence for each of the plurality of load elements; Calculating second influence for each of the plurality of load elements by applying weights for the plurality of load elements to the first influence; Summing second influences corresponding to each signature fragment from the calculated second influences to calculate a final load impact for each signature fragment; And rearranging the order of the plurality of signature fragments according to the magnitude of the calculated final load impact.

In addition, at least two of the weights for the plurality of load elements may be different.

The weight may be adjusted according to at least one of a signature configuration, a pattern search algorithm, and a specification of a security device that performs signature-based abnormal traffic detection.

In addition, the checking of the plurality of load elements may include a grammar check of the pattern included in the signature fragment, and the calculating of the first impact may include calculating a first influence according to the grammar of the pattern included in the signature fragment. It may include.

In addition, the inspection of the plurality of load elements includes the inspection of the length of the signature fragment, and the calculating of the first impact may include calculating the first impact according to the length inspection so that the smaller the length of the signature fragment is, the larger the size becomes. It may include a step.

In addition, the checking of the plurality of load elements may include checking an automata active state size of the signature fragment, and calculating the first impact level comprises calculating a first influence according to the automata active state size of the signature fragment. It may include.

In addition, the inspection of the plurality of load elements may include checking the automata active state search space size of the signature fragment, and calculating the first influence may include determining a first influence according to the automata active state search space size of the signature fragment. It may include the step of calculating.

In addition, the signature reconstruction method according to an embodiment of the present invention comprises the steps of checking whether a plurality of signature fragments match a predetermined penalty condition; And assigning a penalty value to the signature fragment that matches the penalty condition, and calculating the final load impact for each signature fragment comprises, in the case of a signature fragment given a penalty value, the final load impact calculated. And summing the penalty values assigned to.

The signature reconstruction apparatus for detecting signature-based abnormal traffic according to the present invention for solving the above problems comprises: a signature division unit for selecting one signature from a signature list stored in a database and dividing the selected signature into a plurality of signature fragments; A load element inspecting unit inspecting a plurality of signature fragments with respect to the plurality of load elements, and calculating a first degree of influence for each of the plurality of load elements; A weight processor configured to calculate a second influence degree for each of the plurality of load elements by applying weights of the plurality of load elements to the first influence degree, respectively; And summing second influences corresponding to each signature fragment from the calculated second influences to calculate a final load influence on each signature fragment, and calculating a plurality of signature fragments according to the calculated final load influence. It may include a signature reconstruction unit for rearranging the order.

The signature reconstruction apparatus of the present invention for solving the above problems may include a controller for performing the above-described method.

The signature reconstruction apparatus and method according to an embodiment of the present invention may configure a more optimized search environment by rearranging each order based on a load factor determined as a main element among signature fragments included in each signature.

In addition, the signature reconstruction apparatus and method according to an embodiment of the present invention may reflect the influence of the signature, hardware equipment, network, etc. in an arithmetic numerical value to the load influence.

1 is a conceptual diagram of an abnormal traffic detection system according to an embodiment of the present invention.
2 is a block diagram of a signature reconstruction apparatus according to a first embodiment of the present invention.
3 is a conceptual view illustrating a method of reconfiguring one signature through the signature reconstruction apparatus according to the first embodiment of the present invention.
4 is a block diagram of a signature reconstruction apparatus according to a second embodiment of the present invention.
5 is a conceptual diagram illustrating a method of reconstructing one signature through the signature reconstruction apparatus according to the second embodiment of the present invention.
6 is a block diagram of a signature reconstruction apparatus according to a third embodiment of the present invention.
7 illustrates an example of an automata generated through the automata generator.
FIG. 8 is a conceptual diagram illustrating a method of reconfiguring one signature through the signature reconstruction apparatus according to the third embodiment of the present invention.
9 is a flowchart illustrating a signature reconstruction method according to an embodiment of the present invention.

The present invention will now be described in detail with reference to the accompanying drawings. Hereinafter, a repeated description, a known function that may obscure the gist of the present invention, and a detailed description of the configuration will be omitted. Embodiments of the present invention are provided to more fully describe the present invention to those skilled in the art. Accordingly, the shapes and sizes of the elements in the drawings and the like can be exaggerated for clarity.

1 is a conceptual diagram of an abnormal traffic detection system 1000 according to an embodiment of the present invention. The abnormal traffic detection system 1000 according to an embodiment of the present invention includes a plurality of clients 1a, 1b, and 1c, a server 2, a security device 10, a database 20, and a signature reconstruction device 100. It includes. The signature reconstruction device 100 may be mounted in the security device 10 or installed in the form of software, or may be directly connected to the security device 10 in the form of a separate device. In FIG. 1, the number of clients is shown as three, but this is only an example and may include various numbers of clients according to actual environments.

The security device 10 functions to detect abnormal traffic by analyzing packets transmitted from the plurality of clients 1a, 1b, 1c. Here, the security device 10 uses a detection pattern list (hereinafter referred to as a signature list) stored in the database 20 to transmit a packet (or a packet transmitted from the plurality of clients 1a, 1b, and 1c to the server 2). Payloads included in the A-PCI can be analyzed and abnormal traffic can be detected. In detail, the security apparatus 10 collects packets and performs a process of sequentially comparing the contents of the packets with each of the signatures included in the signature list. Here, each signature may include at least one signature fragment, and the pattern of the signature fragment may have a form of regular expression.

For example, assume a situation in which the first client 1a sends a packet among the plurality of clients 1a, 1b, and 1c. The security device 10 may analyze the packet transmitted by the first client 1a and extract the contents of the packet. Thereafter, the security apparatus 10 compares whether the contents of the packet transmitted by the first client 1a correspond to each signature stored in the database 20. As described above, the database 20 includes a signature list that includes a plurality of signatures, each signature including a plurality of signature fragments represented by regular expressions. As an example for description of the present invention, it is assumed that the signature list includes n signatures, and each signature is represented by Equation 1 below.

In Equation 1, S _n represents the n-th signature and P ′ represents a signature fragment included in the signature. In Equation 1, A, B, C, D, E, F, G, X, Y, and Z describe different characters to distinguish each signature fragment, but at least some of them may be the same.

In this example, the security device 10 may sequentially compare the contents of the packet transmitted by the first client 1a with the n signatures S ₁ , S ₂ , S _n stored in the database 20. For example, the security device 10 compares the contents of the packet with the pattern of the first signature fragment P'A 'included in the first signature S ₁ , and the contents of the packet are the first signature S _1. To match the pattern of the first signature fragment (P'A '). As a result of the determination, when the content of the packet matches the pattern of the first signature fragment P'A 'included in the first signature S ₁ , the security apparatus 10 may determine the content of the packet and the first signature S _1. ) Compares the pattern of the second signature fragment (P'B ') included in the. In addition, when the content of the packet matches the pattern of the second signature fragment P'B 'included in the first signature S ₁ , the security device 10 may determine the content of the packet and the first signature S ₁ . Compare the pattern of the third signature fragment (P'C ') included in the. As a result of the determination, when the contents of the packet also match the pattern of the second signature fragment P'C 'included in the first signature S ₁ , the security apparatus 10 may determine that the packet is equal to the first signature S ₁ . It will determine that it is the corresponding abnormal traffic and discard the received packet.

On the contrary, the security device 10 does not match the contents of the packet to at least one of the patterns of the signature fragments P'A ', P'B', and P'C 'included in the first signature S ₁ . If so, compare the contents of the packet with the pattern of the first signature fragment of the next signature (second signature S ₂ in this example). Since the process of comparing the contents of the packet made in the security device 10 with the second signatures S ₂ to n-th signature S _n is substantially the same as the comparison process with the first signature S ₁ , overlapping description will be given. Omit.

The security apparatus 10 sequentially compares the contents of the packets with the respective signatures, and if the contents of the packets match at least one signature, the security apparatus 10 determines and discards the packets as abnormal traffic. On the contrary, if the contents of the packet do not match all the signatures, the security apparatus 10 judges the packet transmitted by the first client 1a as normal traffic, and delivers the packet to the server 2.

As such, the security apparatus 10 performs a comparison process on the packets received from the client in the order of signatures belonging to the signature list and the order of signature fragments included in each signature. That is, the complexity of the abnormal traffic inspection process performed through the security device 10 may be determined according to the arrangement of the signature fragments.

The signature reconstruction apparatus 100 according to an embodiment of the present invention analyzes the signature list in the database 20 used by the security apparatus 10, and realigns the sequence of each signature included in the signature list according to the analysis result. Traffic inspection efficiency can be improved. Considerations when the signature reconstruction apparatus 100 according to an embodiment of the present invention reconstructs each signature are as follows.

First, the signature reconstruction apparatus 100 according to an embodiment of the present invention checks the regular expression grammar. Specifically, the signature reconstruction apparatus 100 according to an embodiment of the present invention checks whether a regular expression grammar (eg, metacharacter, character class, etc.) representing an unspecified length or unspecified data type is included in the signature fragment. can do. As mentioned earlier, when a regular expression is represented by a simple data structure, some signature fragments clearly contain attack patterns, while some signature fragments contain regular expression grammars (eg, '*', '+', ". {x,}", etc.). However, a grammar representing an unspecified length or an unspecified data type has a high probability of matching with data included in normal traffic.

For example, in the first signature S ₁ , P'A 'is "* g", P'B' is "abcd", P'C 'is "12345jpg", and the incoming packet is "bcc345defg." Assume a situation with the contents of ". And, "*" is assumed to mean a character of all lengths. In P'A ',' * g 'represents all strings with the last character g (eg, "g", "baaag", "bcdddsg", "baabbaag", etc.), so that other patterns of text, etc. The matching probability will be higher than.

In this example, the security device 10 compares the contents of the packet with "* g", which is the first signature fragment P'A 'of the first signature S ₁ . Here, since the last character is 'g' in the packet transmitted by the security device 10, such as "bcc345defg," the security device 10 has a content of the packet as the first signature fragment P of the first signature S ₁ . A '), and compare the contents of the packet with the second signature fragment (P'B'). The security device 10 then compares the contents of the packet with "abcd" which is the second signature fragment P'B 'of the first signature S ₁ . In this example, since the contents of the packet and the second signature fragment P'B 'of the first signature S ₁ do not coincide with each other, the security device 10 is configured between the contents of the packet and the second signature S ₂ . You will be doing a comparison.

As another example, assume a situation in which the first signature S ₁ is configured in order of P'B 'P'C'P'A'. The security device 10 will compare the contents of the packet with P'B ', the first signature fragment of the first signature S ₁ . In this case, since the contents of the packet and the first signature fragment P'B 'of the first signature S ₁ do not coincide with each other, the security device 10 does not perform further comparison with respect to the first signature S ₁ . , The comparison will be performed via the second signature S ₂ .

Thus, if signature fragments containing metacharacters or character classes of unspecified length or unspecified type are preferentially placed in the signature, various combinations of strings possible due to this metacharacter or character class, even if the packet sent from the client is a normal packet As such, there is a high probability that a check is performed on the second signature fragment of the signature. In other words, the inspection efficiency of abnormal traffic using this signature will be considerably reduced. On the other hand, if signature fragments containing characters of unspecified length or unspecified data type are placed behind the signature so that they can be compared later, the efficiency of inspection of abnormal traffic using the signature can be improved.

Second, the signature reconstruction apparatus 100 according to an embodiment of the present invention considers the length of the pattern. One signature may have a plurality of signature fragments, and each signature fragment may have a different pattern length from each other. In general, for signature fragments, relatively long signature fragments can be seen as sparse, and shorter signature fragments have a high probability of matching the contents of the packet, which is likely to cause high loads in preprocessing. have. Thus, a low load impact can be given to signature fragments with high sparsity within a certain length range, and a low fragmentation signature fragment (eg, signature fragments having a character length less than a certain length) gives high load impact. can do. In addition, in the case where the length is out of the defined range, a load influence degree may be additionally given in consideration of occurrence of a matching cost. Here, the load impact degree indicates a load degree to be generated in the security device or network for each load factor described below.

As such, the signature reconstruction apparatus 100 according to an embodiment of the present invention may reconstruct each signature by using the presence or absence of the aforementioned metacharacter or character class and the length of the pattern included in the signature fragment. In addition, the signature reconstruction apparatus 100 according to an embodiment of the present invention may selectively further consider the matters described below.

Signature reconstruction apparatus 100 according to an embodiment of the present invention may further consider the size of the automata active state. An automata may include a plurality of states, and a large automata active state means that the number of states is large, and that a lot of state transitions are required in the process of searching for a string. The more states of automata, the more conditions must be met before they are matched, so the time to keep the transition state and the time to constantly change the active state and search the entire automata can be directly related to the search load.

In addition, the signature reconstruction apparatus 100 according to an embodiment of the present invention may further consider the size of the automata active state search space. The automata active search space size is another factor that can express the load influence independently of the number of active states. As the size of the search space increases, the load influence increases proportionally. Here, the size of the automata active state search space refers to a memory space reserved for a regular expression grammar having an ambiguous or iterative calculation of a matching range, regardless of the number of active states of the automata. The size of the automata active search space can be thought of as the amount of space to store for all possible strings before determining matching according to the expression in the regular expression. For example, in regular expressions, the character '*' means 'character of any length'. Therefore, assuming that there is a pattern "* .co.kr", information about all strings "possibly including .co.kr" must be stored in memory until .co.kr is detected. . The size of the storage space at this time may be defined as the size of the automata active search space.

2 is a block diagram of the signature reconstruction apparatus 100 according to the first embodiment of the present invention. The signature reconstruction apparatus 100 according to the first embodiment of the present invention may reconfigure the arrangement order of each signature fragment included in the signature so that signature-based abnormal traffic detection can be efficiently performed. To this end, the signature reconstruction apparatus 100 according to the first embodiment of the present invention includes a signature division unit 110, a load element inspection unit 120 and a signature reconstruction unit 140. Here, the signature dividing unit 110, the load element inspection unit 120 and the signature reconstruction unit 140 is divided by function to help the understanding of the present invention, the signature reconstruction device 100 is a form of one controller or software It can be implemented as. In addition, the signature reconstruction apparatus 100 may be implemented with a CPU, MPU, etc. consisting of a single core or multiple cores.

The database 20 may store a plurality of signatures in the form of a signature list. In addition, the signature dividing unit 110 may select one signature from among the signatures stored in the database 20 and divide the signature into a plurality of signature fragments. For example, the signature divider 110 may be a parser, receive a signature, and consider a plurality of signature fragments (for example, a syntax that may be interpreted in consideration of a string pattern and a regular expression grammar). Unit). In addition, the signature dividing unit 110 shows a configuration in which a signature is read by a compiler or an interpreter, and parsing is performed to find out its structure. The signature division method performed by the signature division unit 110 may be performed in various ways without being limited to a specific method.

The load element inspecting unit 120 calculates a first degree of influence for each load element for each signature fragment divided by the signature dividing unit 110. Here, the load element includes at least a part of whether the regular expression grammar indicating the unspecified length or unspecified data type is included in the signature fragment, the length of the pattern of the signature fragment, the automata active state size, and the automata active state search space size. The first embodiment of the present invention is described as the load element inspection unit 120 performs the inspection for the above two load elements, but this is only an example, the inspection made through the load element inspection unit 120 is the two loads Other load elements may be added in addition to the elements. In the following description, it is assumed that the first inspection module 121 considers the existence of a regular expression grammar representing an unspecified length or an unspecified data type, and the second inspection module 122 considers a length of a pattern of a signature fragment. .

The first checking module 121 may include a regular expression grammar (eg, a metacharacter, a character) indicating an unspecified length or an unspecified data type in each signature fragment included in a signature (for example, a first signature) selected from the database 20. Class, etc.), and give an impact accordingly. There are a variety of regular expression grammars (e.g. metacharacters, character classes, etc.) representing unspecified lengths or unspecified data types, and for each regular expression grammar (e.g. metacharacters or character classes). The load to be placed on the security device 10 is also different. Therefore, the first inspection module 121 confirms the existence and type of the regular expression grammar indicating the unspecified length or the unspecified data type, and gives different load influences according to the existence or the kind thereof.

For example, when the first inspection module 121 determines that a regular expression grammar indicating an unspecified length or an unspecified data type does not exist in the signature fragment, the first inspection module 121 sets the first impact degree to a default value (for example, 0 or other load factor). Relatively low value in comparison with the first influence). On the contrary, when the first checking module 121 determines that a regular expression grammar indicating an unspecified length or an unspecified data type exists in the signature fragment, the first inspection module 121 may determine the first influence of the first load factor corresponding to the regular expression grammar (eg, meta). Character, character class, etc.). Therefore, a signature fragment that includes a regular expression grammar having a relatively low load impact among regular expression grammars having an unspecified length or an unspecified data type may have a low impact value, and a regular expression grammar having a relatively high load impact may be used. The included signature fragment may have a high impact value set.

The second inspection module 122 checks the pattern length of the signature fragment and gives different influences according to the pattern length. As described above, a relatively long pattern may be regarded as having high sparsity, and a relatively short pattern may be regarded as having low sparsity. In addition, a relatively short pattern has a high probability of matching with a packet, which may cause a high load. Accordingly, the second inspection module 122 checks the length of the pattern of the signature fragment, and the lower the length of the pattern, the higher the value of the first influence of the second load element. For example, the second inspection module 122 compares the pattern length of the signature fragment with the plurality of pattern length determination ranges, and sets a different value according to the pattern length determination range to which the pattern length of the signature fragment belongs. Can be set to 1 impact. In addition, when the length of the pattern is less than a predetermined pattern length determination range, the second inspection module 122 may additionally assign a load influence in consideration of occurrence of a matching cost.

As described with reference to FIG. 1, the signature reconstruction apparatus 100 according to an embodiment of the present invention may reconstruct a signature by emphasizing a load factor that is determined as a major load factor in abnormal traffic detection. To this end, the signature reconstruction apparatus 100 according to an embodiment of the present invention further includes a signature reconstruction unit 140.

The signature reconstruction unit 140 calculates the final load influence for each signature fragment by using the first influence on each load element for each of the signature fragments calculated by the load element checker 120. For example, assuming that the first influence of the first load element of the first signature fragment is 20 and the first influence of the second load element of the first signature fragment is 50, The final load influence is 70, which is the sum of the first influence of the first load element and the first influence of the second load element. The signature reconstruction unit 140 calculates the final load influence for each signature fragment by performing the process of summing the first influence calculated by the load element inspection unit 120 for each signature fragment.

In addition, the signature reconstruction unit 140 calculates the final load impact for each signature fragment of the signature selected from the database 20 and rearranges the signature fragments according to the final load impact. For example, the signature reconstruction unit 140 compares the final load influence of the signature fragments, and as the final load impact is lower, the signature fragment is placed at the front of the signature, and the higher the final load impact is at the rear of the signature. Relocation to place signature fragments can be performed.

3 is a conceptual diagram illustrating a method of reconstructing one signature through the signature reconstruction apparatus 100 according to the first embodiment of the present invention. In the example shown in FIG. 3, the first signature S ₁ is selected in the database 20, and the first signature S ₁ is the first signature fragment P′A ′ and the second signature fragment P′B. Suppose ') and the third signature fragment (P'C'), and S ₁ includes the signature fragment in order of P'A 'P'B'P'C'. In addition, it is assumed that the load element inspection unit 120 performs the inspection for the two load elements.

The signature dividing unit 110 analyzes the first signature S ₁ in consideration of a string pattern, a regular expression grammar, and the like, and divides the first signature S ₁ into a plurality of signature fragments according to the analysis result. In the present example, according to the above assumption, the signature division unit 110 may include the first signature S ₁ as the first signature fragment P'A ', the second signature fragment P'B', and the third signature fragment ( P'C ').

The load element inspecting unit 120 calculates a first influence degree on the load element for each of the signature fragments P'A ', P'B', and P'C 'divided through the signature division unit 110. . For example, assuming that the load element inspecting unit 120 inspects two load elements, the load element inspecting unit 120 may calculate a first impact degree for each of the signature fragments in the order of the signature fragments. For example, the load element inspecting unit 120 sequentially calculates first influences of the first and second load elements with respect to the first signature fragment P'A ', and the second signature fragment P'B'. ) And the first influence of the first and second load elements, and the first influence of the first and second load elements for the third signature fragment P'C '. As another example, the load element inspecting unit 120 may calculate a first influence degree for each signature fragment in order of load elements. For example, the load element inspector 120 sequentially inspects the first, second, and third signature fragments P'A ', P'B', and P'C 'for the first load element. Afterwards, the first, second and third signature fragments P'A ', P'B', and P'C 'are examined for the second load element to calculate the first influence of each load element for each signature fragment. can do. The order of calculating the first impact degree made through the load element inspecting unit 120 is not limited to the above order, but may be a combination or the reverse order thereof. In addition, in the above description, the first influence calculation through the load element inspecting unit 120 has been described as being sequentially performed in the order of signature fragments or in the order of load elements. However, the calculation process may be performed in parallel at the same time.

The signature reconstruction unit 140 calculates the final load impact for each signature fragment by summing the first impact for each of the signature fragments calculated by the load element inspector 120. Thereafter, the signature reconstruction unit 140 compares the final load influence of each signature fragment, and places the signature fragment having a relatively low magnitude of the final load impact at the front end of the signature, and has a relatively high magnitude of the final load impact. The signature is reconstructed by placing the signature fragment at the end of the signature.

For example, the result calculated by the signature reconstructing unit 140 is the final load impact degree of the first signature fragment P'A 'is 70, and the final load impact degree of the second signature fragment P'B'. Is 60 and the final load impact degree of the third signature fragment P'C 'is 80, the signature reconstruction unit 140 considers the magnitude of the final load impact of each signature fragment, The signature S ₁ may be reconstructed in the order of the second signature fragment P'B ', the first signature fragment P'A', and the third signature fragment P'C '. As another example, the result calculated by the signature reconstruction unit 140 is the final load impact degree of the first signature fragment P'A 'is 80, and the final load impact degree of the second signature fragment P'B'. Is 30 and the final load impact degree of the third signature fragment P'C 'is 50, the signature reconstruction unit 140 considers the magnitude of the final load impact of each signature fragment, The signature S ₁ may be rearranged in order of the second signature fragment P'B ', the third signature fragment P'C', and the first signature fragment P'A '.

4 is a block diagram of the signature reconstruction apparatus 200 according to the second embodiment of the present invention. The signature reconstruction apparatus 200 according to the second embodiment of the present invention may include a signature dividing unit 210, a load element inspecting unit 220, a weight processor 230, and a signature reconstructing unit 240. Here, the signature dividing unit 210, the load element checker 220, the weight processor 230 and the signature reconstructor 240 is divided by function to help the understanding of the present invention, the signature reconstruction device 200 is one It can be implemented in the form of a control unit or software. In addition, the signature reconstruction apparatus 200 may be implemented as a CPU, MPU, etc. consisting of a single core or multiple cores. In addition, the second embodiment of the present invention is that the signature reconstruction apparatus 200 further includes a weight processor 230, and that the signature reconstructor 240 uses the weight processor 230 to reconstruct the signature. Except for the above, it is substantially the same as the first embodiment. Therefore, the following description focuses on differences from the first embodiment.

The weight processor 230 calculates the weights of the plurality of load elements, and reflects the weights of the plurality of load elements in the first degree of influence of each load element output from the load element inspector 220. The second influence is calculated. That is, the weight processor 230 adjusts the first influence values by reflecting the weights to the first influence of each load element, respectively. Reasons for considering weights through the weight processor 230 may include performance (eg, CPU specifications, memory capacity, etc.) of the security device 10 to which the signature reconstruction device or method according to the embodiment of the present invention is applied. This is because the communication environment may be different. For example, in some circumstances, the configuration of each signature fragment (eg, simple text or regular expression) may be heavily involved in the load of security device 10, while in other environments it may not. Therefore, the weight processor 230 calculates a weight for each load element in consideration of the following matters, and adjusts the magnitude of the first influence degree output from the load element inspector 220 using the calculated weights. .

First, the weight processor 230 considers the configuration of the signature stored in the database 20 referred to as the first load element. The signature may consist of simple text only, or may consist of multiple loops and strings containing regular expressions. For example, if most of the signatures in the signature list stored in the database 20 consist of simple text only, the load impact that would occur due to the grammar of the signature would be quite low.

Therefore, the weight processor 230 checks the ratio of the signature fragments composed of simple text in the entire signature, and if the ratio is outside the preset ratio (eg, 30%, 40%, 50%, etc.) 1 You can increase the weight for the load factor. In one embodiment, when the ratio of the simple text in the signature configuration exceeds the preset ratio, the weight processor 230 may determine the weight of the first load element relatively higher than other weights.

In addition, the weight processor 230 may check the pattern search algorithm used by the security apparatus 10, and set the weight of the second load element higher or lower according to the type of the pattern search algorithm. The network environment to which the security device 10 is applied may be limited to a specific service network as well as an internet network through which various traffic flows. The security device 10 may be applied with a different pattern search algorithm according to a network to which the security device 10 is to be applied, and any of the pattern search algorithms may be a method in which a string search time is lengthened depending on the length of the pattern. Therefore, the weight processor 230 may adjust the weight of the second load element by checking the pattern search algorithm used by the security apparatus 10.

The weight is not a fixed value for each load factor. The weighting may be made in consideration of the configuration of the signature, the characteristics of the physical device of the operation equipment, and the traffic characteristics of the network for operating the equipment.

In addition, the weight processor 230 may determine whether additional adjustment is required for the second influence of each load element. For example, the weight processor 230 may check the penalty information and use the penalty information to determine whether additional adjustment is required for the final load impact on the signature fragment described below. The penalty information is information including a penalty condition for determining whether to give an additional load impact to the signature fragment. That is, the penalty information is used to determine whether the signature fragment matches the additional penalty condition included in the penalty information through an additional decision process in addition to the arithmetic load judgment criteria in the inspection process of each load element through the load factor inspector 220. Can be. The weight processor 230 assigns a penalty value to the signature fragment when the weight determination unit 230 meets an additional determination condition (eg, a penalty condition) included in the penalty information.

For example, in addition to calculating the influence on the load factors described above, the weight processor 230 performs a comparison process using an additional penalty condition, and when a signature fragment matching the penalty condition is found, the order of the found signature fragments is finalized. You can assign a penalty value to relocate the load impact. In other words, the weight is a value applied to the first influence on the load factor, and the penalty value is a value applied to the signature fragment.

The signature reconstruction unit 240 receives the second influence of each load element output from the weight processor 230, and calculates the final load influence of the signature fragment using the second influence. In addition, the signature reconstruction unit 240 checks whether a penalty value is assigned to the signature fragment before calculating the final load impact degree, and if the penalty value is assigned, adds both the second impact factor and the penalty value to each of the signature fragments. The final load impact can be calculated.

In addition, the signature reconstruction unit 240 checks whether the final load influence is calculated for all the signature fragments of the signature, and if the final load influence is calculated for all the signature fragments, the signature reconstruction unit 240 according to the magnitude of the final load impact in the signature. The signature is reconstructed by rearranging each signature fragment. Since the operation performed through the signature reconstruction unit 240 has been described in detail with reference to FIGS. 2 and 3, redundant descriptions thereof will be omitted.

The signature reconstruction apparatus 200 according to the second embodiment of the present invention may calculate the influence on the load factor by reflecting the weight (for example, considering the signature configuration and the pattern search algorithm). The weights play a role in increasing the proportion of the load incurred cost calculated in the load factor that has a high impact on search performance when applied to the integration cost (eg, final load impact). By reflecting the weight of the size adjusted according to the situation, it is possible to increase the probability of detecting whether the signature is loaded than when the weight is not applied, and it is possible to guarantee a small search time.

5 is a conceptual diagram illustrating a method of reconstructing one signature through the signature reconstruction apparatus 200 according to the second embodiment of the present invention. In the example illustrated in FIG. 5, similar to the example illustrated in FIG. 3, the first signature S ₁ is selected in the database 20, and the first signature S ₁ is the first signature fragment P′A ′. And a second signature fragment P'B 'and a third signature fragment P'C', wherein the first signature S ₁ is in the order of P'A 'P'B'P'C' Assume a situation involving It is assumed that the load element inspecting unit 220 performs inspection on two load elements. In addition, since the second embodiment of the present invention is substantially the same as the first embodiment except that weight is considered, the following description will focus on differences.

The weight processor 230 has a plurality of first influence degrees (in FIG. 5, the first influence degree of the first load element and the first influence degree of the second load element) of the load elements output from the load element inspecting unit 220. By applying the weights for the load elements, the second influence of each load element (in FIG. 5, the second influence of the first load element and the second influence of the second load element) is calculated. The example illustrated in FIG. 5 assumes a situation in which the weight for the first load element is higher than the weight for the second load element. For example, assume that the first influence factor and the second influence factor of the first load element are each 30, and the weight of the first load element and the weight of the second load element are 1.5 and 0.5, respectively. Then, the second impact factor of the first load element will be 45, and the second impact factor of the second load element will be 15. In addition, it is assumed that the first influence factor and the second influence factor of the first load element are 60 and 30, respectively, and the weight of the first load element and the weight of the second load element are 1.5 and 0.5, respectively. Then, the second influence of the first load element will be 90, and the second influence of the second load element will be 15.

The signature reconstruction unit 240 calculates the final load influence of each signature fragment by summing the second influences reflecting the weights through the weight processor 230. In addition, when the final load impact calculation of all the signature fragments included in the signature is completed, the signature reconstruction unit 240 orders the signature fragments in order of P'B 'P'C' P'A 'according to the magnitude of the final load impact. By relocating, the signature is reconstructed.

6 is a block diagram of the signature reconstruction apparatus 300 according to the third embodiment of the present invention. The signature reconstruction apparatus 300 according to the third embodiment of the present invention includes a signature division unit 310, a load element inspection unit 320, a weight processing unit 330, a signature reconstruction unit 340, and an automata generator 350. It can be configured to include. Here, the signature divider 310, the load factor checker 320, the weight processor 330, the signature reconstructor 340, and the automata generator 350 are classified by functions to help the present invention. The reconstruction device 300 may be implemented in the form of one controller or software. In addition, the signature reconstruction apparatus 300 may be implemented as a CPU, MPU, etc. consisting of a single core or multiple cores. In addition, the third embodiment of the present invention further includes an automata generator 350 for generating the automata to be considered through the load element inspector 320 and the load element inspector 320 considering the N load elements. It is substantially the same as a 1st Example or a 2nd Example except for including. Therefore, the description will be made below based on differences from the first embodiment or the second embodiment.

The signature dividing unit 310 selects one signature from among the signatures stored in the database 20, and divides the signature into a plurality of signature fragments.

The automata generator 350 may sequentially generate or automatically generate automata for each of the plurality of signature fragments divided by the signature divider 310. Here, the automata represents an abstract model for the digital computer and may be in a finite state. A finite state automata includes a finite state, an input, a state transition function, one initial state, and at least one end state. In general, a finite state model is a model for processing input that is continuously input. An example of an automata generated by the automata generator 350 is illustrated in FIG. 7.

7 is a conceptual diagram illustrating the concept of an automata (for example, a finite state automata). In Fig. 7, circles containing numerals 0 to 5 represent the states of the finite automata, respectively, and letters (a, b, d) written in the arrows indicate state transition conditions. If the entered character satisfies the transition condition, the transition is made in the direction of the arrow. For example, a circle with 0 indicates a start state, and when a is entered in the start state, the state transitions to state 1. Also, a circle marked 5 consisting of two concentric circles represents the final state. Starting from the start state, when the state reaches the end state as a result of transition, it means that the string to be searched is searched. Referring back to FIG.

The load element inspecting unit 320 calculates a first influence degree of each load element for each signature fragment through the signature division unit 310. Unlike the first impact factor calculated for the two load elements in the first and second embodiments, the load element inspection unit 320 includes N load elements (for example, three, four, or more). The first influence on can be calculated. For example, the load factor includes at least some of whether the signature fragment contains a regular expression grammar representing an unspecified length or an unspecified data type, the length of the pattern of the signature fragment, the automata active size, and the automata active search space size. do. In FIG. 6, four load elements are illustrated, but this is only an example, and the load element inspecting unit 320 may be configured for each load element in consideration of some or all of the above load elements, or other load elements other than the load elements. 1 Impact can be calculated.

The load element inspecting unit 320 may calculate a first degree of influence on at least some or all of these four load elements, or other load elements other than the load elements described above. In the following, it is assumed that the load element inspecting unit 320 calculates a first degree of influence on four load elements, including four inspection modules 321, 322, 323, and 324. For example, the first inspection module 321 considers the existence of a regular expression grammar representing an unspecified length or an unspecified data type, the second inspection module 322 considers the length of the pattern of the signature fragment, and the third inspection. Assume that the module 323 considers the size of the automata active state, and the fourth inspection module 324 considers the size of the automata active state search space. Here, since operations performed through the first and second test modules 321 and 322 are substantially the same as the first and second test modules 121 and 122 described with reference to FIG. 2, redundant descriptions thereof will be omitted.

The third inspection module 323 may give a first influence of the third load element according to the size of the automata of the signature fragment generated by the automata generator 350. As described above, the high activation state of the automata means that a lot of state transitions are required in the process of searching for a string. For example, when an abnormal traffic is detected by using a signature fragment with a high automata, many conditions must be satisfied until a match is found, so the time to keep the transition state and the automata are changed continuously. The search time can be a direct factor in the search load. Accordingly, in consideration of these characteristics, the third inspection module 323 may assign a higher value as the active state is higher and a lower value as the active state is lower to the first influence of the third load element.

The fourth inspection module 324 may give the first influence of the fourth load element according to the size of the active state search space of the automata of the signature fragment generated by the automata generator 350. The memory space reserved for the regular expression grammar that has a small number of active states but an ambiguous matching range or performs an iterative calculation may be expressed as the size of the active state search space. This is another major element of automata verification that can express the load impact independent of the number of active states, and the load impact is given in proportion to the size of the search space.

The weight processor 330 calculates a second influence degree of each load element by reflecting weights to the first influence degree of each load element output from the load element inspector 320. That is, the weight processor 330 adjusts the first influence value of each load element by reflecting the weight in the first influence degree of each load element. Unlike the second embodiment, the weight processor 330 may not only have a first influence on the first and second load elements output from the first and second inspection modules 321 and 322, but also a third and fourth. The second influence on the first to fourth load elements by applying weights for the third and fourth load elements to the first influence on the third and fourth load elements output from the inspection modules 323 and 324. The degree can be calculated. Meanwhile, since the matters to be considered when reflecting the weights of the first and second load elements have been described in detail above, the following description will focus on the matters to be considered when reflecting the weights of the third and fourth load elements. This is done.

The weight processor 330 may consider the performance of the security equipment to which the signature reconstruction apparatus 300 or the method is applied. Although the signature reconstruction apparatus 300 according to the embodiments of the present invention assumes a high performance system that processes a large network trunk of equipment that operates a signature, the technology to which the embodiments of the present invention are applied may operate based on software. The environment of the operating equipment can be variable. In low-memory systems, the size of the automata active search space is a major review factor, and it is correct to increase the weight as much as possible so that the pattern can be processed in a lower order.

Accordingly, the weight processing unit 330 may determine that the signature configuration referred to as the first load element is a regular expression (the regular expression affects the automata active state or automata active state search space size), and the memory in the security device 10. When the amount of free space is small, weights for the third load element and the fourth load element may be relatively increased. In addition, when the signature configuration is simple text, the weight processing unit 330 may increase the weight of the third load element because the number of characters constituting the text affects the number of states of the automata.

Each factor representing a load is related to each other. For example, suppose that one signature fragment is a text pattern that exceeds 100 bytes. Text patterns exceeding 100 bytes may include, for example, more than 100 numbers or combinations of characters, and automata generated for this text pattern may contain more than 100 states, thus enabling the activation of automata. The state size is also relatively large. However, in the case of a large text pattern with a signature fragment, it is difficult to find a string that perfectly matches this, so that the number of relatively repetitive calculations is performed. Therefore, the size of the automata active search space is not large.

As another example, a signature fragment such as '. {4,100}', which means 4 to 100 or more repetitions of the same character, does not have a long length, so the size of the active state of the automata is not large. However, the size of the automata active search space must be large because matching possibilities must be ensured for a string range of at least 4 bytes to 100 bytes until the end of the search.

As such, the weight processor 330 may be different for each load element in consideration of the performance of the apparatus for applying the signature reconstruction apparatus 300 or the method according to the embodiments of the present invention, and the structure of each signature included in the signature list. Or at least two different) weights. In addition, the above has described the situation of increasing or decreasing the weight. However, this is only an example, and in addition to the above conditions, the weight of each load element may be calculated or adjusted through various conditions or according to various situations.

Like the second embodiment, the weight processor 330 may check the penalty information and determine whether to assign a penalty value to the signature fragment using the penalty information. Since the description of the method for adjusting the final load impact degree of the signature fragment using the penalty information has been described in detail with reference to FIG. 4, redundant descriptions are omitted.

The signature reconstructor 340 receives the second influence of each load element output from the weight processor 330, and calculates the final load influence of the signature fragment using the second influence. In addition, when the penalty value is assigned to the signature fragment, the signature reconstruction unit 340 may calculate the final load impact degree of the signature fragment by summing both the second impact factor and the penalty value of each load element. Thereafter, the signature reconstruction unit 340 reconstructs the signature by rearranging each signature fragment according to the magnitude of the final load impact degree in the signature. Since the operation performed through the signature reconstruction unit 340 has been described in detail above, redundant description thereof will be omitted.

8 is a conceptual diagram illustrating a method of reconstructing one signature through the signature reconstruction apparatus 300 according to the third embodiment of the present invention. In the example illustrated in FIG. 8, similar to the example illustrated in FIGS. 3 and 5, the first signature S ₁ is selected in the database 20, and the first signature S ₁ is the first signature fragment P ′. A '), a second signature fragment (P'B') and a third signature fragment (P'C '), wherein the first signature (S ₁ ) is P'A'P'B'P'C' Assume a situation involving a signature fragment. In addition, it is assumed that the load element inspecting unit 320 performs a test on four load elements.

Referring to FIG. 8, the load element inspecting unit 320 is configured to generate each load element for each of the signature fragments P'A ', P'B', and P'C 'divided through the signature division unit 310. Calculate the impact. For example, the load element inspecting unit 320 may calculate a first degree of influence on the first to fourth load elements in the order of the signature fragments or in the order of the load elements. As described with reference to FIG. 3, the calculation of the first influence degree made through the load element inspecting unit 320 may be performed sequentially as well as in parallel. As described with reference to FIG. 6, the first load element indicates whether a regular expression grammar indicating an unspecified length or an unspecified data type is included in the signature fragment, and the second load element indicates the length of the pattern of the signature fragment. The third load element may indicate an automata active state size, and the fourth load element may indicate an automata active state search space size.

The weight processor 330 calculates a second influence degree of each load element by applying weights for the plurality of load elements to the first influence degrees of the first to fourth load elements output from the load element inspector 320. In addition, the weight processor 330 may calculate the second influence degree in consideration of a penalty condition.

The signature reconstructor 340 calculates the final load influence of each signature fragment by summing the second influences of each load factor with weights (or penalties) through the weight processor 330. In addition, when the final load impact calculation of all the signature fragments included in the signature is completed, the signature reconstructor 340 orders the signature fragments in order of P'B 'P'C' P'A 'according to the magnitude of the final load impact. By relocating, the signature is reconstructed.

9 is a flowchart illustrating a signature reconstruction method according to an embodiment of the present invention. As described above, the signature reconstruction method according to an embodiment of the present invention may reconstruct each signature by reconstructing each signature fragment included in the signature so that the signature-based abnormal traffic detection technique can be performed more efficiently. The signature reconstruction method according to an embodiment of the present invention may be performed by the apparatus described above with reference to FIGS. 1 through 8 (for example, a plurality of configurations or an apparatus including one controller), or in another embodiment. It can be applied by being installed in the security device in the form of software. In the following description is omitted to omit the overlapping parts described above.

In step S110, a signature (eg, a first signature) of one of the signatures stored in the database 20 is selected. As described above, the database may include a plurality of signatures in the form of a signature list.

In step S120, the signature (for example, the first signature) selected through step S110 is divided into a plurality of fragments. For example, step S120 may be performed by receiving a signature using a parser or the like and dividing the signature into a plurality of signature fragments (for example, in a unit that can parse a syntax) in consideration of a string pattern and a regular expression grammar. Can be. Since the parsing method performed in step S120 exists in various ways, the present invention does not limit it to a specific method.

In operation S130, a signature fragment of one of the signature fragments divided through the operation S120 may be selected, and a first influence of each load element of the selected signature fragment may be calculated. The load factor includes at least some of whether a regular expression grammar representing an unspecified length or unspecified data type is included in the signature fragment, the length of the pattern of the signature fragment, the size of the automata active state, and the size of the automata active state search space. For example, step S130 may calculate the first impact of two, three, four or more load factors for the selected signature fragment. The load element is not limited to that described above, and other load elements may be further considered. In addition, since the method of calculating the first impact degree for each load element has been described in detail above, redundant description thereof will be omitted.

Step S140 is a step of calculating weights for the plurality of load elements. As described above, the signature reconstruction method according to an embodiment of the present invention calculates a weight for each load element in consideration of the configuration of the signature, the type of pattern search algorithm, the free space of the system memory, and the like. Since the method for calculating the weight and the conditions used therein have been described in detail above, redundant descriptions will be omitted.

In step S150, the second influence of each load element is calculated by applying weights for the plurality of load elements calculated in step S140 to the first influence of each load element calculated in step S130.

After step S150, the penalty information, which is illustrated by block A in FIG. 9, is checked, and whether the signature fragment matches the penalty condition included in the penalty information is checked. As a result of the check, a step of assigning a penalty value to the signature fragment matching the penalty condition may be performed. The step of checking using the penalty condition and assigning a penalty value to the signature fragment matching the penalty condition is not essential. In addition, since the description of these steps has been described in detail above, redundant descriptions are omitted.

In step S160, for each signature fragment, the final load impact for each signature fragment may be calculated by summing the second impact of each load element.

In step S170, the final load influence on all signature fragments is calculated from the signature selected through step S110. As a result, when the final load influence on all the signature fragments is calculated, step S180 is performed. If another signature fragment is further present in the signature selected in step S110, steps S130 to S160 may be further performed. Through step S170, steps S130 to S160 may be repeated until the final load impact for all signature fragments is calculated in one signature.

In the above description, it has been described that steps S130 to S160 are repeatedly performed in the order of signature fragments divided through step S120. However, this is merely an example, and steps S130 to S160 may be performed by calculating first impact degree, second impact degree, and final load impact degree in parallel with respect to each signature.

Step S180 is performed when the final load impact calculation for one signature (eg, the first signature) is completed, and the order of each signature fragment included in the signature is determined according to the final load impact of each signature fragment. It is the stage of relocation. As described above, the step S180 may be performed by relocating the signature fragment having a low final load impact to the front end of the signature and relocating the signature fragment having a high final load impact to the rear end of the signature.

Step S190 is a step for checking whether there is another signature in the database 20 (eg, in the signature list). As a result of the check, when there is another signature for which the signature is not reconstructed, steps S110 to S180 are performed again. Otherwise, all the processes are terminated.

The exemplary methods according to the present invention are computer program products recorded on a recording medium readable by a computer (including an apparatus having an information processing function), program instructions executed by a processor, a software module, microcode, a computer, Applications, logic circuits, application specific semiconductors, or firmware can be implemented in a variety of ways. Examples of the computer-readable recording medium include, but are not limited to, a ROM, a RAM, a CD, a DVD, a magnetic tape, a hard disk, a floppy disk, a hard disk, an optical data storage device, and the like. In addition, the computer-readable recording medium may be distributed over network-connected computer systems so that computer readable codes can be stored and executed in a distributed manner.

The above description is merely illustrative of the present invention, and various modifications may be made by those skilled in the art without departing from the technical spirit of the present invention.

100: signature reconstruction device 110: signature divider
120: load element inspection unit 140: signature reconstruction unit
200: signature reconstruction device 210: signature divider
220: load element inspection unit 230: weight processing unit
240: signature reconstruction unit

Claims (10)

Signature reconfiguration method for signature based abnormal traffic detection,
Selecting one signature from a signature list stored in a database, and dividing the selected signature into a plurality of signature fragments;
Inspecting the plurality of signature fragments against a plurality of load elements to produce a first degree of influence for each of the plurality of load elements;
Calculating a second influence degree for each of the plurality of load elements by applying weights of the plurality of load elements to the first influence degree, respectively;
Assigning a penalty value to the signature fragment when the signature fragment included in the plurality of signature fragments meets a preset penalty condition;
Calculating a final load impact on each signature fragment based on a second impact corresponding to each signature fragment among the calculated second impact and a penalty value assigned to each signature fragment; And
And reordering the plurality of signature fragments according to the calculated magnitude of the final load impact. The method of claim 1,
And wherein at least two of the weights for the plurality of load elements are different. 3. The method of claim 2,
And the weight is adjusted according to at least one of a signature configuration, a pattern search algorithm, and a specification of a security device that performs signature-based abnormal traffic detection. The method of claim 1,
Inspection of the plurality of load elements,
Including the grammar check of the pattern included in the signature fragment, wherein calculating the first impact degree comprises the step of calculating a first impact degree according to the grammar of the pattern included in the signature fragment Signature reconstruction method. The method of claim 1,
Inspection of the plurality of load elements,
And including checking the length of the signature fragment, and calculating the first influence, calculating the first impact according to the length checking such that the smaller the length of the signature fragment is, the larger the size becomes. Characterized by the signature reconstruction method. The method of claim 1,
Inspection of the plurality of load elements,
Checking an automata active state size for the signature fragment, and calculating the first impact level comprising calculating a first influence according to the automata active state size of the signature fragment. Reconstruction method. The method of claim 1,
Inspection of the plurality of load elements,
Checking the size of the automata active state search space for the signature fragment, wherein calculating the first impact includes calculating a first degree of influence according to the size of the automata active state search space of the signature fragment. Characterized by the signature reconstruction method. The method of claim 1,
And the final load impact is determined by summing the second impact corresponding to each signature fragment and the penalty value assigned to each signature fragment. A signature reconstruction device for signature-based abnormal traffic detection,
A signature division unit that selects one signature from a signature list stored in a database, and divides the selected signature into a plurality of signature fragments;
A load element inspecting unit inspecting the plurality of signature fragments with respect to a plurality of load elements and calculating a first degree of influence for each of the plurality of load elements;
A weight processor configured to calculate a second influence degree for each of the plurality of load elements by applying weights of the plurality of load elements to the first influence degree, respectively; And
When a signature fragment included in the plurality of signature fragments meets a preset penalty condition, a penalty value is assigned to the signature fragment, and a second impact degree corresponding to each signature fragment among the calculated second impact degrees and the The signature reconstruction unit calculates a final load impact for each signature fragment based on the penalty value assigned to each signature fragment and rearranges the sequence of the plurality of signature fragments according to the calculated magnitude of the final load impact. Signature reconstruction apparatus comprising a. A signature reconstruction device for signature-based abnormal traffic detection,
A signature reconstruction apparatus comprising a control unit for performing a method according to any one of claims 1 to 8.

Images